====== NAT logging for Cisco ASR ======
Cisco ASR 1000 series routers are popular as internet edge devices. One of the functions the ASR 1K provides is NAT, deployed by ISPs to conserve public IP space. For these ISPs, keeping a log of NAT translations is a regulatory compliance requirement called IPDR (IP Data Record). Trisul Network Analytics IPDR helps ISPs meet this requirement.
This note explains how to configure NAT logging on the ASR.
===== Use NetFlow NAT Logging =====
Cisco recommends that you use the purpose designed NetFlow mechanism rather than other methods like SYSLOG.
It is as simple as a single command. Unlike plain NetFlow, you do not need to enable it on an interface-by-interface basis:
<code>
ip nat log translations flow-export v9 udp destination 10.17.17.17 2055
</code>
Where 10.17.17.17 is the IP Address of the NetFlow collector.
===== CGNAT mode =====
In CGNAT mode, the Cisco ASR uses both NAT (Network Address Translation) and PAT (Port Address Translation) to map multiple private IP addresses onto a single public IP address by partitioning the port space.
CGNAT requires only source NAT for connections initiated from inside to the outside. Hence, by default, only the source NAT/PAT translation is logged by the ''ip nat log translations'' command; the destination side of the connection is not part of the exported record. You can use Trisul IPDR's HalfNAT to look up the translation in real time and correlate it with the destination IP.
Another option is to use ''ip nat settings log-destination'' for CGNAT ((Cisco CGNAT configuration guide https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16-9/nat-xe-16-9-book/iadnat-cgn.html)):
<code>
ip nat settings log-destination
ip nat log translations flow-export v9 udp ipv6-destination 2001::2 30000 source GigabitEthernet0/0/3
ip nat log translations flow-export v9 udp destination 172.27.61.85 20000
</code>
{{:netflow:cgnatdocs.png?400|}}
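To make concrete what the collector at the export destination actually receives, both for the plain ''ip nat log translations'' export and for the CGNAT half-NAT case, here is a small template-driven NetFlow v9 decoder. It is an added example written for this note, not Trisul's collector code or anything from Cisco. It assumes the ASR populates its NAT event template with the standard IANA IPFIX information elements (sourceIPv4Address=8, postNATSourceIPv4Address=225, postNAPTSourceTransportPort=227, natEvent=230 and so on); the sample datagram, its addresses and timestamps are constructed here so the script runs offline.

```python
"""Decode Cisco ASR NAT translation events exported as NetFlow v9 (added example)."""
import socket
import struct

# NetFlow v9 / IPFIX information elements typically found in NAT event templates.
# IDs are from the IANA IPFIX registry; which ones a given ASR emits is an assumption.
FIELDS = {
    4: "proto", 7: "src_port", 8: "src_ip", 11: "dst_port", 12: "dst_ip",
    225: "xlate_src_ip", 226: "xlate_dst_ip", 227: "xlate_src_port",
    228: "xlate_dst_port", 230: "nat_event",
}
NAT_EVENT = {1: "CREATE", 2: "DELETE"}


def _decode(name, raw):
    # 4-byte fields named *_ip are IPv4 addresses; everything else is a big-endian integer.
    if name.endswith("_ip") and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Parse one NetFlow v9 datagram and return the decoded records as dicts.

    templates maps (source_id, template_id) -> [(field_type, field_len), ...] and is
    updated in place: data records can only be decoded once their template has arrived.
    """
    version, _count, _uptime, unix_secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + fs_len]
        off += fs_len
        if fs_id == 0:  # template flowset: one or more template definitions
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:  # data flowset: fixed-size records laid out per template
            fields = templates.get((source_id, fs_id))
            if fields is None:
                continue  # template not yet seen; a real collector buffers or drops
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while p + rec_len <= len(body):  # trailing bytes shorter than a record are padding
                rec = {"export_time": unix_secs}
                for ftype, flen in fields:
                    name = FIELDS.get(ftype, f"ie{ftype}")
                    rec[name] = _decode(name, body[p:p + flen])
                    p += flen
                records.append(rec)
    return records


def format_ipdr(rec):
    """Render one NAT event as an IPDR-style log line."""
    event = NAT_EVENT.get(rec.get("nat_event"), "UNKNOWN")
    inside = f"{rec['src_ip']}:{rec['src_port']}"
    outside = f"{rec['xlate_src_ip']}:{rec['xlate_src_port']}"
    # CGNAT exports only the source translation, so the destination may be absent (half-NAT).
    dst = f"{rec['dst_ip']}:{rec['dst_port']}" if "dst_ip" in rec else "-"
    return f"{rec['export_time']} {event} proto={rec['proto']} {inside} -> {outside} dst={dst}"


def build_v9(source_id, unix_secs, templates, data):
    # Encode a NetFlow v9 datagram; used here only to construct sample input.
    tmpl_body = b""
    for tid, fields in templates.items():
        tmpl_body += struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    flowsets = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    for tid, rec in data:
        body = b"".join(
            socket.inet_aton(rec[FIELDS[t]]) if FIELDS[t].endswith("_ip") else rec[FIELDS[t]].to_bytes(l, "big")
            for t, l in templates[tid])
        body += b"\x00" * (-len(body) % 4)  # pad each flowset to a 4-byte boundary
        flowsets += struct.pack("!HH", tid, 4 + len(body)) + body
    header = struct.pack("!HHIIII", 9, len(templates) + len(data), 0, unix_secs, 1, source_id)
    return header + flowsets


# Constructed sample: template 256 carries the full 5-tuple plus translation, template 257
# is a CGNAT half-NAT template with no destination fields. Addresses are RFC 5737 ranges.
FULL = [(230, 1), (4, 1), (8, 4), (7, 2), (225, 4), (227, 2), (12, 4), (11, 2)]
HALF = [(230, 1), (4, 1), (8, 4), (7, 2), (225, 4), (227, 2)]
SAMPLE_PACKET = build_v9(
    source_id=1, unix_secs=1700000000, templates={256: FULL, 257: HALF},
    data=[
        (256, {"nat_event": 1, "proto": 6, "src_ip": "10.1.2.3", "src_port": 51515,
               "xlate_src_ip": "203.0.113.10", "xlate_src_port": 20001,
               "dst_ip": "198.51.100.7", "dst_port": 443}),
        (257, {"nat_event": 2, "proto": 6, "src_ip": "10.1.2.3", "src_port": 51515,
               "xlate_src_ip": "203.0.113.10", "xlate_src_port": 20001}),
    ])


def decode_sample():
    return [format_ipdr(r) for r in parse_v9(SAMPLE_PACKET, {})]


if __name__ == "__main__":
    for line in decode_sample():
        print(line)
```

The second output line shows the half-NAT situation described above: the record identifies the inside host and the public address and port it was given, but carries no destination, which is exactly the gap a HalfNAT lookup has to fill. The decoder keys its template cache on the exporter's source ID as well as the template ID, because two ASRs exporting to the same collector may reuse template numbers with different layouts.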